As increasing numbers of companies migrate to the cloud, the concerns around perceived risk and cyber security grow

When you put data on the cloud, essentially what you are doing is storing that info on the servers of a service provider instead of on computer hard drives and physical back-up disks at your premises. This allows you greater access to information and massive storage potential, as well as additional backup security. However, it also puts that info dangerously close to experts who know how to creep silently into private servers.

“These days, more and more people are connecting their personal mobile devices onto enterprise networks. I don’t just mean mobile phones and tablets. With the rise and rise of the Internet of Things, the list of ‘things’ connecting to the secure networks of businesses is growing fast,” says Tiaan van Schalkwyk, Associate Director, Cyber Risk Services, Deloitte Africa. The advent of cloud technologies also means that a business’s physical location and where it stores its most valuable asset–its intellectual property and other intangible assets (such as customer and supplier information)–aren’t necessarily in the same geographic space, adds Van Schalkwyk.

“All these new connections pose a cyber security risk; they represent a new way someone might use to gain unauthorised access to a business’s information assets or to wreak havoc on their systems. But responding to this risk by banning these devices and rejecting cloud-based platforms is short-sighted. Businesses need a flexible, principles-based approach to cyber security–one that allows their network architecture to be open to user-initiated innovation and technologies that improve business performance and efficiency without compromising privacy and security.

“The approach needs to focus on educating users, and instituting a controls environment that allows the business to respond rapidly to threats and for the network to be constantly evolving towards being more secure,” says Van Schalkwyk.

Phillip de Bruyn, Customer Experience Manager at Redstor, highlights the fact that, from a backup perspective, the cloud essentially provides an extension to more traditional methods, such as tapes and disks.

“With so many companies embracing a virtualised environment, the advantage of having organisational data available at an offsite location through cloud backup complements this effectively. But using the cloud does not necessarily mean company data is more accessible or even meets legal requirements,” he says.

Most experts warn that it is prudent to proceed with caution.

“What do Apple, Amazon and Microsoft have in common?” asks Perry Hutton, Regional Vice President, Africa, at Fortinet. “The answer? All three technology giants, considered the gold standard among cloud computing providers, have suffered the ignominy of being breached by hackers.”

Nonetheless, companies are also vulnerable when their data is stored on site.

“One of the biggest concerns for business users is the perceived lack of control that happens when moving data to the cloud,” highlights Colin Thornton, CEO, Dial a Nerd. “Sceptics have always argued that having files (of the electronic variety) stored on their server in a back room somewhere at the office is a much more convenient way of accessing them. Yet, by moving those files to the cloud, the business can invest the time and money spent on maintaining hardware and software in other pursuits. Thanks to how user-friendly technology has become, it really makes no difference to the experience whether you are opening a document from your server or from one in the cloud.”

Cloud storage can dramatically improve convenience and collaboration but, in order to protect your company data, there are a number of issues to be carefully considered. Some of the important considerations are highlighted below.

Refine your requirements and get professionals to assess associated risks

It is not necessary to adopt an all-or-nothing approach to cloud storage; migration of data can be a gradual process. It does, however, pay to devote time to proper planning of exactly what data you will move to the cloud and, ideally, to obtain professional advice regarding your vulnerability to security breaches or cyber crime.

Companies that are just starting to incorporate cloud computing into their IT architecture are not alone, and they shouldn’t feel rushed or try to move too much at one time, says Taj Elkhayat, Regional Vice President Middle East, Turkey and Africa for Riverbed Technology.

“If they are still undecided about migrating to the cloud, now is the time to develop a plan to deliver their business-critical applications over the Internet. Firstly, organisations should determine which applications and information stores they wish to migrate to the cloud and which ones they don’t. For example, an e-commerce company may only need to scale up certain IT resources in order to match the various shopping seasons. However, it would probably want to keep confidential and sensitive data, such as customers’ credit card numbers, in the data centre, where it is entirely under its control.

“Migrating applications to the cloud is not as simple as moving files from local storage hardware to a cloud provider’s platform. This requires re-engineering those apps to ensure they optimally leverage cloud resources, and that they perform just as well (or better) than the existing data centre-based version,” says Elkhayat.

“The findings of the Aon 2016 Captive Cyber Survey report indicate that there is a disparity between companies recognising that cyber is one of the fastest growing and permeating risks, and actually understanding what their individual exposures and coverage needs are,” says Kerry Curtin, Manager: Financial Institutions & Professional Risks at Aon South Africa.

“The important thing is not to guess at this. Implementing security measures that best fit your business and that will save you money and provide peace of mind requires a full assessment of your real security needs,” cautions Jed Hewson, Co-founder of 1Stream.

“What is the information being collected? What is the value of this information and therefore the likelihood of unauthorised access? And possibly most importantly: What risks are involved should this information be accessed without authorisation?

“Based on the likelihood as well as the severity of the threat, the appropriate measures can be put in place. These can range from basic password protection all the way through to out-of-scope data verification, depending on the need identified,” adds Hewson.

Having a proactive offensive attitude–rather than a reactive defensive posture–is the best way to keep the opposition occupied and limit their ability to conduct an attack, says Brian Forster, Senior Director at Fortinet, although he adds that nobody knows the network and its vulnerabilities better than those who have put it together in the first place.

“IT security professionals in financial services should look for openings in their own defence via white hat hacking and penetration testing. Since there isn’t a single piece of technology that will be able to stop every threat, those cracks in the system that are both easy access points and lead to sensitive data should be the ones focused on first. Remember, cyber criminals are just human beings looking for the fastest and most financially rewarding way to do their jobs,” says Forster.

The high risks involved make it essential to consult with an insurance professional, in addition to obtaining professional advice on cyber security. While existing forms of insurance sometimes carry a level of coverage, they were not intended to cover the many risks associated with an increasingly digital world.

“Standard policies are often inadequate to cover the likely cost of even a more “standard” security breach, let alone cyber-attack or ‘hacktivism’. Only specialist cyber insurance policies provide extensive cover,” says Kerry Curtin, Manager: Financial Institutions & Professional Risks at Aon South Africa.

“Consulting with a professional risk advisor is an invaluable exercise in assessing your exposures, developing a risk mitigation strategy and transferring that risk to an insurer in order to protect your reputation, data, clients and bottom line,” adds Curtin.

Choose the right service provider

“After carefully assessing which data you will be migrating and the relative risks associated with the data you intend to store in the cloud, you will obviously need to decide which cloud service is best suited to your needs, which makes selecting a reputable service provider top of the list of priorities for companies,” says Danny Myburgh, MD of Cynare.

“During vendor selection, ask the cloud vendor what security services it provides and which security vendors it works with,” advises Perry Hutton, Regional Vice President, Africa for Fortinet. “The cloud is a dynamic environment and requires regular updates to the security architecture to stay up with the latest threats. How does the cloud vendor guard against new security exploits and zero-day vulnerabilities?”

Phillip de Bruyn, Customer Experience Manager at Redstor, cautions that, even though improvements have been made, the speed and accessibility of bandwidth is not yet ideal in South Africa or across the rest of the African continent. “While better mobile infrastructure and the expansion of WiFi throughout the country have taken place, companies need to examine how they use connectivity and what impact this has on access to cloud backups,” says De Bruyn. “The real-time nature of business in the digital world means that companies cannot afford to use providers that are too slow or do not perform according to certain service level agreements.”

Consider the contract carefully

Too often companies make the mistake of accepting a boilerplate contract from the service provider. The contract is extremely important, warns Danny Myburgh, MD of Cynare. “Consider what ownership you have. If you suspect a breach (more particularly, an internal risk) and want to see who has accessed your company information recently, that is not the time to find out that you don’t have access to the log files and the service provider is unwilling to assist you with that information.”

The global nature of the cloud is another consideration to take into account. “Jurisdictional issues should also be incorporated in the contract. If a server is located abroad the contract should specify what your recourse is in the case of a dispute,” adds Myburgh.

“The biggest mistake any organisation can make is to assume that Service Level Agreements cover data and its availability,” says Phillip de Bruyn, Customer Experience Manager at Redstor. “In the 24x7x365 business cycle, no company can have the luxury of not having access to their critical back-end data. While certain data selections might not necessarily fall under the scope of high availability, others do and not being able to have those cloud backups restored within minutes might cause the organisation considerable reputational and financial loss.”

De Bruyn warns that one of the most difficult things to get right is for the business and the cloud backup provider to agree on how its data is valued and what steps can be taken in the event of a failure to restore files within the agreed-upon parameters.

Manage your internal risks

IT forensics specialists Cynare have seen numerous instances of clear, orchestrated external hacks, for example, in the recent case involving Standard Bank. However, in their experience, in around 80% of cases, an internal person was responsible for the breach.

“Employers should pay more attention to the management of access to that cloud storage,” cautions Danny Myburgh, MD of Cynare. “It is not uncommon to offer a number of employees access to company Dropbox folders, for example, but then fail to rescind the access when an employee leaves. Pay particular attention to issues of access when employees are exiting.”

As a result, it’s worth considering adding new fortifications to the existing security measures you have built around your application’s authentication and log-in processes.

“To fortify the access to your cloud application, you should have a granular data access scheme,” says Perry Hutton, Regional Vice President, Africa, for Fortinet. “You can do so by tying access privileges to roles, company positions and projects. This will add an additional layer of protection when attackers steal your staff’s login credentials.”
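The two points above (rescinding access when someone leaves, and tying folder privileges to roles and projects) can be made checkable rather than a matter of memory. The following is an added example written for this article, not code from Fortinet, Cynare or any cloud provider; the employees, folders, grants and access-log lines are all constructed sample data, and the policy model is an assumption for the demonstration.

```python
from datetime import date

# Constructed sample data (an assumption for this example, not a real system):
# employees with their roles, projects and leaving date; a folder policy that
# grants access by role or project; and ad-hoc per-user grants, the kind that
# linger after someone has left.
EMPLOYEES = {
    "alice": {"roles": {"finance"}, "projects": {"audit-2016"}, "left": None},
    "bob":   {"roles": {"sales"},   "projects": set(),          "left": None},
    "carol": {"roles": {"finance"}, "projects": {"audit-2016"}, "left": date(2016, 5, 31)},
}
FOLDER_POLICY = {  # shared folder -> roles / projects allowed to open it
    "Finance/Reports":     {"roles": {"finance"}, "projects": set()},
    "Projects/Audit-2016": {"roles": set(),        "projects": {"audit-2016"}},
    "Sales/Pipeline":      {"roles": {"sales"},    "projects": set()},
}
DIRECT_GRANTS = {"carol": {"Sales/Pipeline"}, "bob": {"Finance/Reports"}}

def entitled_folders(user, today):
    """Folders the policy allows this user to read on the given day; a user who
    has left (or is unknown) gets nothing, so one leaving date removes all roles."""
    emp = EMPLOYEES.get(user)
    if emp is None or (emp["left"] is not None and emp["left"] <= today):
        return set()
    return {folder for folder, rule in FOLDER_POLICY.items()
            if emp["roles"] & rule["roles"] or emp["projects"] & rule["projects"]}

def stale_grants(today):
    """Direct grants that exceed what the policy allows: the access to rescind."""
    return {user: folders - entitled_folders(user, today)
            for user, folders in DIRECT_GRANTS.items()
            if folders - entitled_folders(user, today)}

def suspect_accesses(log):
    """Log entries (day, user, folder) where the user was not entitled that day."""
    return [entry for entry in log
            if entry[2] not in entitled_folders(entry[1], date.fromisoformat(entry[0]))]

# Constructed access-log excerpt, the kind of record the provider should give you.
ACCESS_LOG = [
    ("2016-06-02", "alice", "Finance/Reports"),  # normal: finance role
    ("2016-06-02", "carol", "Finance/Reports"),  # after leaving: should be impossible
    ("2016-06-03", "bob",   "Finance/Reports"),  # via an ad-hoc grant outside his role
]

if __name__ == "__main__":
    print("grants to rescind:", stale_grants(date(2016, 6, 1)))
    print("suspect accesses:", suspect_accesses(ACCESS_LOG))
```

Run periodically against the real grant list and the provider's access log, the same two checks turn "pay attention when employees exit" into a report of exactly which shares still need revoking and which accesses merit a closer look.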

On the other side of the spectrum, an employee who is uneducated about security can be just as dangerous to data as any other digital or physical entry point.

“One way to test for employee vulnerabilities is to simply conduct test attacks. Many CIOs will send out fake phishing attacks to see if their employees will provide login credentials or click on malicious links. If a high number of employees fail the test, security teams know it is an area that demands added focus,” says Fortinet Senior Director Brian Forster.

“The role of the C-suite with regards to security has transformed. Cyber security threats put a company’s finances and value at risk, and increase the need for mature strategies to safeguard a company’s data, resources, reputation, and brand. As a strategic business and risk management executive, the C-suite should have significant oversight and guidance in these areas. They can no longer be IT-only considerations,” adds Forster.

Encrypt your sensitive data

Although complete protection against cyber threats cannot be guaranteed, encryption can play an important role in cloud storage. Data encryption is one of your biggest security allies in the cloud, and it should be non-negotiable when it comes to file transfers and emails.

“While it may not prevent hacking attempts or data theft, it can protect your business and save an organisation from incurring hefty regulatory fines when the dreaded event happens,” says Fortinet’s Hutton.

Ask your cloud vendor about its data encryption schemes. Find out how it encrypts data that is at rest, in use, and on the move.

“To understand what data should be encrypted, it helps to get a handle on where it resides - whether in your cloud vendor’s servers, the servers of third-party companies, employee laptops, office PCs or USB drives,” adds Hutton.